Question
How can I use the new feature in Plesk 18.0.56 that allows Apache Web Server to listen on localhost on ports 7080 and 7081?
Answer
In Plesk 18.0.56, a new security feature (PPP-43250) was introduced that restricts the Apache web server to listening only on localhost ports 7080 and 7081, reducing the server's exposed attack surface. It applies when Apache runs behind nginx as a reverse proxy: Apache then accepts connections only on the loopback address, so its backend ports are not reachable directly from outside the server.
The feature is controlled with the CLI command plesk bin apache --listen-on-localhost <true|false>, which enables or disables Apache's localhost mode. For new Plesk installations, this mode is enabled by default. For servers upgraded to 18.0.56, localhost mode remains disabled by default.
Note that existing custom hosting templates may require adjustments to work in localhost mode, depending on what the template modifies.
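As an added post-change check (not part of the Plesk article), the function below reads ss -H -tln output and reports any listener on 7080 or 7081 that is bound to a non-loopback address, which is worth confirming after toggling the flag, especially on upgraded servers where the mode stays off by default. The socket listings are constructed samples, not output from a real server; the live invocation is shown in a comment.

```shell
# Read `ss -H -tln`-style lines from stdin (column 4 = Local Address:Port).
# Return 0 when every 7080/7081 listener is on 127.0.0.1 or [::1],
# 1 when any is bound to 0.0.0.0, [::], * or another interface.
check_apache_loopback() {
  awk '
    BEGIN { bad = 0 }
    {
      addr = $4
      port = addr; sub(/.*:/, "", port)           # text after the last colon
      if (port != "7080" && port != "7081") next  # only the Apache backend ports
      host = addr; sub(/:[0-9]+$/, "", host)      # strip the :port suffix
      if (host != "127.0.0.1" && host != "[::1]") {
        printf "EXPOSED: %s\n", addr
        bad = 1
      } else {
        printf "ok: %s\n", addr
      }
    }
    END { exit (bad ? 1 : 0) }
  '
}

# Constructed sample: nginx on 80/443, Apache confined to loopback (localhost mode on).
SAMPLE_LOCALHOST_MODE='LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 511 127.0.0.1:7080 0.0.0.0:*
LISTEN 0 511 127.0.0.1:7081 0.0.0.0:*'

# Constructed sample: Apache still bound to all interfaces (the upgrade default).
SAMPLE_EXPOSED='LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 0.0.0.0:7080 0.0.0.0:*
LISTEN 0 511 [::]:7081 [::]:*'

# Live use on the server itself:
#   ss -H -tln | check_apache_loopback
```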
Comments
Should you not explain here how to set it on/off?
> The new CLI command plesk bin apache --listen-on-localhost can be used to turn on/off Apache localhost mode.
Is true/false missing here? And does this command set the default behavior permanently, or only temporarily?
And the hint about where to find the "panel.ini" file is missing, like a link to https://docs.plesk.com/de-DE/obsidian/administrator-guide/plesk-administration/konfigurationsdatei-panelini.78509/
If apacheListenLocalhost is set to true, the Plesk AW-Stats feature does not work anymore, because the IP in the server logs is always 127.0.0.1.
The external IP that hits the NGINX reverse proxy should be parsed to the logs, otherwise it will never work because all visitors come from the same IP address.
Please fix this and use X-Real-IP or something else.
With that feature turned on, I am not able to retrieve the visitor's IP address via PHP $_SERVER['REMOTE_ADDR'].
"Allow from xxx.xxx.xxx.xxx" via .htaccess is not possible either.
Any solution for that?
Thanks for the recommendations Karl May, implemented accordingly.
TorbHo and concedra gmbh, thank you for reporting the described behavior. This will be fixed in the next hotfix for version 18.0.56.2.
For reference: PPPM-14170, Change Log for Plesk Obsidian
Does this really provide much additional security benefit? In any normal circumstance, wouldn't port 7080 and 7081 be closed at the firewall anyway? They certainly are on all my Plesk servers, so in that case - what benefit does this really offer?
Hi Gavin, while it's a good idea to close ports 7080 and 7081 on your firewall, it's important to remember that firewall configurations can vary widely from system to system. Not all users may have these ports closed on their firewalls.
The additional security benefit comes from the principle of "defense in depth". This is the use of multiple layers of security controls throughout an information technology (IT) system. The intent is to provide redundancy in the event that a security control fails or a vulnerability is exploited. In this context, even if a firewall fails or is misconfigured and these ports are left open, closing them at the application level provides an additional layer of security.
This approach helps reduce the risk of unauthorized access and potential attacks. It's always better to have multiple security measures in place, even if some of them may seem redundant in certain configurations.
Seems like a really illogical default. Anyone running a web server should be smart enough to have not opened those ports to begin with, or they should not be running a web server. If the difference between security and vulnerability is bypassing nginx to get to the web app via apache directly, then you're hardly practicing any defense in depth. It also makes the apache web logs useless given they show all the requests as localhost. I've got security related feature requests in to Plesk for years now that go unattended to, but hey, we prevented apache from serving requests directly while breaking a bunch of other stuff in the process, congrats.
Hi eCom Seller
Thank you for your feedback. We understand your concerns and appreciate the opportunity to provide clarification.
The decision to have Apache listen on localhost by default for new installations is indeed a security measure. While it's true that anyone running a web server should ideally have their firewall configured correctly, the reality is that configurations can vary widely. This feature provides an extra layer of security, following the principle of "defense in depth".
In terms of bypassing Nginx to go directly to the web application via Apache, this change doesn't eliminate other security measures in place. It's an additional layer, not a replacement. The goal is to reduce the attack surface and potential vulnerabilities.
Regarding the Apache web logs, we're pleased to report that the issue with Apache only displaying the localhost IP address has been resolved in the context of bug PPPM-14170 (27 October 2023). More details can be found in the Change Log for Plesk Obsidian.
We're sorry to hear about your unattended feature requests. We assure you that we take all customer feedback seriously and strive to improve our product based on user needs. We'll make sure to review your previous requests. Feel free to open a support request with a reference to your comment in this article so we can take a closer look.
We hope this clarifies the reasoning behind this feature. If you have any further questions or concerns, please don't hesitate to let us know.
I had an Ubuntu server doing it this morning:
18.0.57 Ubuntu 20.04 1800231218.09
127.0.0.1 - - [07/Feb/2024:15:06:10 +0000]...
Switched that off and it began logging properly again.